In this blog, we will be going over the fundamental audit concepts and principles for ISO 27001. Dive in and learn these concepts!
The 4 standards that relate to auditing are:
- ISO 19011 – not specific to security, but gives the foundation for the art of auditing
- ISO 17021 – the standard that guides certification bodies on how to run their processes
- ISO 27007 – guidelines on auditing information security management systems
- ISO 27008 – guidelines for the assessment of security controls
Naturally, ISO 27001 is different from the above in the sense that companies from all industries can comply with its requirements and get their ISMS certified.
What is an Audit?
Critical elements of an audit, as per ISO 19011, Clause 3.1 are:
- Systematic – following a process approach
- Independent – unbiased
- Documented process for – there is a paper trail
- Obtaining objective – unbiased
- Evidence and – physical and digital records that show compliance
- Evaluating it objectively – reviewing the record against requirements
- To determine the extent to which the audit criteria are fulfilled – criteria are defined within the audit plan
Different Types of Audits:
- Internal audit – the organization auditing its own processes to improve
- Second-party audit:
  - Customers auditing their suppliers
  - Organizations auditing their external providers
- Third-party audit – implementing a third-party standard, like ISO 27001, and then asking a third-party company to come and give its professional opinion on the compliance with that standard
- Pre-assessment audit – done by the 3rd party certification body to check whether your organization is ready for the official certification audit
Involved Parties
- Audit client – the company paying for the audit
- Auditee – the organization being audited
- Audit team – the auditor(s) doing the audit + technical experts if needed
- Auditor – the person gathering the evidence
- Technical expert – works with the auditors to provide professional expertise; technical experts do not audit the process, they simply provide information to the auditor
The Audit Objectives
As defined in ISO 17021 Clause 9.2.1.2, the goal of doing an audit is as follows:
- Determining the organization’s compliance with the audit criteria
- Ensuring the management system meets the needs of all stakeholders
- Determining the effectiveness of the management system in meeting the organizational objectives
- Identifying areas for improvement
The Audit Planning Process
Defining the audit criteria for the audit is an important step within the audit planning process.
Before doing the audit plan, it is important to sit down with the audit team and determine the inherent risks of the organization.
The Stage 2 audit planning steps include:
- Learning about the auditee’s mission, objectives and processes
- Defining the audit objectives and audit scope
- Conducting a risk assessment
- Developing the audit strategy
The audit criteria are derived from the scope of certification, and can also be integrated with any of the following:
- Internal rules and policies
- Laws and regulations
- Relevant interested parties’ requirements
- Other standards
- Commercial contracts and agreements
The audit criteria are used as the reference for determining conformity: whenever a non-conformity is found, it is a breach of a specific audit criterion.
Audit Risk
Audit risk relates to the likelihood of the audit being a success, and there are 3 aspects to it:
- Inherent risk – the risk that the organization faces, e.g. the financial sector faces risks related to financial fraud
- Control risk – where the controls implemented to mitigate risks are most likely to fail
- Detection risk – the chance that I (as an auditor) fail to notice a significant problem
Auditing an Integrated Management System
Companies might choose to implement ISO 27001 together with other standards, most commonly ISO 9001. By auditing certain elements of one standard, one can at the same time be auditing the same requirement of the other standard.
Core Principles/Ethics of an Auditor
Integrity
Operating the audit in an honest, independent and clear manner. Basing all judgements on evidence (or lack thereof).
Fair Presentation
All evidence has to be truthful and accurate, in all cases, and never based on hearsay or opinion. If, during the audit, people are not able to provide certain information, this needs to be declared, not to cause some kind of trouble, but to be transparent.
Due Professional Care
Due professional care is also important: the auditor has to follow sound auditing procedures and use all the required tools.
Evidence-Based Approach
No standard tells you whether you have enough evidence. As auditors, we must have enough evidence to be able to defend our recommendation for a client’s certification. The goal is not to find as many non-conformities (NCs) as possible; rather, the auditor’s role is to help the client establish how they are meeting the requirements. The goal of ISO certification is continual improvement, and that is where professional scepticism is important.
Naturally, if we detect illegalities, we cannot turn a blind eye, and depending on the type of activity involved, we might also want to contact the authorities. If you are working for a certification body, it is important to take the necessary legal advice. Auditors are not investigators: our role is to make our report, communicate it as needed, and let the authorities do their work.
Confidentiality
As auditors, we have access to confidential information about the client. Naturally, confidentiality is critical whether or not the client asks for a non-disclosure agreement, and auditors cannot leave their notes lying around either. There are cases where we are professionally required to share certification information, for example when the accreditation authority wants to see records as part of its own audit; in such a case we would naturally share the information, as it would have been pre-agreed. There are also situations where disclosing information is required by law. As stated earlier, one must seek legal advice in such a case.
Independence
There are those who build and implement an ISMS, and there are those who audit it. An auditor needs to have independence of mind, and also the appearance of independence. Independence is compromised if there is a possibility that the auditor can gain something from this audit, for example having worked with the client in the past. Self-review is the situation where an auditor is auditing their own work: if I am checking my own work, there are deliberate and accidental mistakes that I will not see.
Therefore, having someone else check your processes is important. Moreover, you cannot audit people with whom you have familiarity, such as friends and family; the same applies to a client after 2 or 3 audits, when it is good to change auditor because we might get complacent. Conversely, is there external pressure on the auditor to give a certain result? Naturally, this should not be accepted, and the right interested parties have to be contacted in such a case.
Further to this, a consultant cannot act as lead auditor for a certification body auditing that same client.
Risk-Based Approach
Like all standards, the auditing standard asks auditors to apply common sense and follow a risk-based approach to guide their actions while in the field.
Competencies of an Auditor
A lead auditor organizes and manages the team, including dealing with conflicts. Ultimately, it is the lead auditor who needs to make the final findings and present them to the certification committee.
ISO 19011 states that auditors have to be competent in the auditing process. Competence is a blend of the following:
- Audit experience
- Initial training
- Continual training
- Professional experience
- Personal qualities
Personal Behaviour
ISO 19011 Clause 7.2.2 lists the following professional behaviours that are desirable in an auditor:
- Ethical
- Open-minded
- Diplomatic
- Observant
- Perceptive
- Versatile
- Tenacious
- Decisive
- Self-reliant
- Able to act with fortitude
- Open to improvement
- Culturally sensitive
- Collaborative